dpxkkhu1812 2014-12-09 18:28
Views: 33
Accepted

Sanitising database input from a PHP form

I sanitise the data I receive from the form in the following way:

$gender = filter_var($_POST['gender'], FILTER_SANITIZE_STRING);
$firstName = filter_var($_POST['firstName'], FILTER_SANITIZE_STRING);
$lastName = filter_var($_POST['lastName'], FILTER_SANITIZE_STRING);
$email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
$message = filter_var($_POST['comment'], FILTER_SANITIZE_STRING);
$address = filter_var($_POST['address'], FILTER_SANITIZE_STRING);
$numBrochures = (int) filter_var($_POST['quantity'], FILTER_SANITIZE_NUMBER_INT);

The relevant SQL queries that insert the data are as follows:

if (mysqli_query($conn, "INSERT INTO users(firstName, lastName, email, gender) VALUES('$firstName', '$lastName', '$email', '$gender')") == TRUE) {
  logSuccess($file, "Adding user");
}
else {
  logError($file, "Adding user", mysqli_error($conn));
}

$userId = $conn->query("SELECT `userId` FROM users WHERE `firstName` = '$firstName' AND `lastName` = '$lastName' AND `email` = '$email'")->fetch_object()->userId;
if ($userId == false) {
  logError($file, "Fetching user id", mysqli_error($conn));

}

if (mysqli_query($conn, "INSERT INTO brochureOrders(userId, address, numBrochures, message) VALUES('$userId', '$address', '$numBrochures', '$message')") == TRUE) {
  logSuccess($file, "Brochure Order");
  $sendConfirmationEmail = true;
}
else {
  logError($file, "Brochure Order", mysqli_error($conn));
}

However, in my database, I see entries like the following:

address = "vz8y8E  gghwptvvzuak, [url=http://ytvsmximkjnp.com/]ytvsmximkjnp[/url], [link=http://hiabgyvsjifp.com/]hiabgyvsjifp[/link], http://tyvylndqitoy.com/"

Shouldn't the following have taken care of this?

$address = filter_var($_POST['address'], FILTER_SANITIZE_STRING);

Could someone tell me what I am doing incorrectly here?
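An added example, not part of the question or its code, that shows why FILTER_SANITIZE_STRING let the spam address through and what a validating (rather than sanitising) layer looks like for the same form fields. The constructed $_POST array, the gender allowlist, the length limits and the helper names validateOrder and containsLink are assumptions made for the demo:

```php
<?php
// Added example, not the asker's code. Demonstrates why FILTER_SANITIZE_STRING
// passed the spam address through, and replaces sanitising with validation.
// The $_POST contents below are constructed for the demo.

$_POST = [
    'gender'    => 'female',
    'firstName' => 'Alice',
    'lastName'  => 'Example',
    'email'     => 'alice@example.com',
    'comment'   => 'Please send the catalogue.',
    'address'   => 'vz8y8E  gghwptvvzuak, [url=http://ytvsmximkjnp.com/]ytvsmximkjnp[/url], http://tyvylndqitoy.com/',
    'quantity'  => '3',
];

// FILTER_SANITIZE_STRING (deprecated since PHP 8.1) only strips <tag> sequences
// and HTML-encodes quotes. The spam contains neither, so the value comes back
// unchanged: the filter never decides whether the content is acceptable at all.
$sanitised = @filter_var($_POST['address'], FILTER_SANITIZE_STRING);
$unchanged = ($sanitised === $_POST['address']);

// Validation instead: decide per field what is acceptable and reject the rest.
function containsLink(string $s): bool
{
    // Bare URLs and BBCode [url=...]/[link=...] are the signature of the spam in
    // the question; a name or postal address never legitimately needs them.
    return (bool) preg_match('~(?:https?://|www\.|\[(?:url|link)[=\]])~i', $s);
}

function validateOrder(array $in): array
{
    $errors = [];
    $clean  = [];

    // Allowlist for a field the form only ever sends from a fixed set (assumed values).
    $genders = ['male', 'female', 'other'];
    if (in_array($in['gender'] ?? '', $genders, true)) {
        $clean['gender'] = $in['gender'];
    } else {
        $errors[] = 'gender';
    }

    // Free-text fields: trim, cap the byte length, and refuse link-like content
    // where it makes no sense (names, address). The limits are assumptions.
    $textFields = [
        'firstName' => ['max' => 60,   'links' => false, 'required' => true],
        'lastName'  => ['max' => 60,   'links' => false, 'required' => true],
        'address'   => ['max' => 200,  'links' => false, 'required' => true],
        'comment'   => ['max' => 1000, 'links' => true,  'required' => false],
    ];
    foreach ($textFields as $field => $rule) {
        $value   = trim((string) ($in[$field] ?? ''));
        $missing = ($value === '' && $rule['required']);
        $tooLong = strlen($value) > $rule['max'];
        $badLink = !$rule['links'] && containsLink($value);
        if ($missing || $tooLong || $badLink) {
            $errors[] = $field;
        } else {
            $clean[$field] = $value;
        }
    }

    // FILTER_VALIDATE_* returns false on bad input instead of "repairing" it.
    $email = filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) { $errors[] = 'email'; } else { $clean['email'] = $email; }

    $qty = filter_var($in['quantity'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 50]]);
    if ($qty === false) { $errors[] = 'quantity'; } else { $clean['numBrochures'] = $qty; }

    return ['ok' => $errors === [], 'errors' => $errors, 'data' => $clean];
}

$result = validateOrder($_POST);
// For the constructed input the validator reports 'address' as invalid, which is
// exactly the field the sanitiser handed back unchanged ($unchanged is true).
```

Two points the validator makes explicit: a sanitiser rewrites input and always returns something, so it can never tell you a submission is spam, while a validator rejects and tells the user which field failed; and neither of them has anything to do with SQL safety, which only the parameterised queries in the accepted answer provide.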


1 answer

  • douhong4452 2014-12-09 18:36

    Because the OP stated in the comments that he wants to switch to prepared statements, I thought I'd show him an example.

    Instead of something like this:

    if (mysqli_query($conn, "INSERT INTO users(firstName, lastName, email, gender) VALUES('$firstName', '$lastName', '$email', '$gender')") == TRUE) {
      logSuccess($file, "Adding user");
    }
    else {
      logError($file, "Adding user", mysqli_error($conn));
    }
    

    Do something like this:

    $query = "INSERT INTO users (firstName, lastName, email, gender) VALUES(?, ?, ?, ?)";
    
    if($stmt = $mysqli->prepare($query)){
        $stmt->bind_param('ssss', $firstName, $lastName, $email, $gender);
        $stmt->execute();
        $stmt->close();
    }else die("Failed to prepare!");
    

    and this

    $query = "SELECT `userId` FROM users WHERE `firstName` = ? AND `lastName` = ? AND `email` = ?";
    
    if($stmt = $mysqli->prepare($query)){
        $stmt->bind_param('sss', $firstName, $lastName, $email);
        $stmt->execute();
        $stmt->bind_result($userId);
        $stmt->fetch();
        $stmt->close();
    }else die("Failed to prepare!");
    
    This answer was accepted by the asker as the best answer.
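To complete the answer above, an added example (not the answerer's or the asker's code) that carries the whole flow from the question, user insert, user id lookup and brochure-order insert, through prepared statements. It uses mysqli's insert_id instead of selecting the user back by name and email, wraps both inserts in one transaction, and turns on mysqli exception reporting so a failed prepare() cannot be silently ignored. The variable $db, the placeholder connection details, the assumption that users.userId and brochureOrders' primary key are AUTO_INCREMENT, and the function name placeBrochureOrder are assumptions made here:

```php
<?php
// Added example, not the page's code: the question's user + brochure-order flow
// rewritten with prepared statements, insert_id and a transaction.
// Connection details are placeholders; table and column names are the question's.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw mysqli_sql_exception on any error

/**
 * Inserts the user and the order as one unit of work and returns the new
 * brochureOrders id. Assumes both tables have an AUTO_INCREMENT primary key.
 */
function placeBrochureOrder(mysqli $db, array $d): int
{
    $db->begin_transaction();
    try {
        $stmt = $db->prepare(
            'INSERT INTO users (firstName, lastName, email, gender) VALUES (?, ?, ?, ?)'
        );
        $stmt->bind_param('ssss', $d['firstName'], $d['lastName'], $d['email'], $d['gender']);
        $stmt->execute();
        $stmt->close();

        // Id of the AUTO_INCREMENT row just inserted on this connection. No need
        // to SELECT it back by name/email, which could match another user.
        $userId = (int) $db->insert_id;

        $stmt = $db->prepare(
            'INSERT INTO brochureOrders (userId, address, numBrochures, message) VALUES (?, ?, ?, ?)'
        );
        // 'i' binds an integer, 's' a string. The placeholders are sent separately
        // from the SQL text, so form data is never parsed as part of the query.
        $stmt->bind_param('isis', $userId, $d['address'], $d['numBrochures'], $d['message']);
        $stmt->execute();
        $orderId = (int) $db->insert_id;
        $stmt->close();

        $db->commit();
        return $orderId;
    } catch (mysqli_sql_exception $e) {
        $db->rollback();   // neither row is left behind if the second insert fails
        throw $e;          // let the caller log it; never echo the message to the client
    }
}

// Usage with placeholder credentials (DB_USER, DB_PASSWORD, DB_NAME are not real values).
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4');

$orderId = placeBrochureOrder($db, [
    'firstName'    => 'Alice',
    'lastName'     => "O'Example",   // the apostrophe would have broken the concatenated query
    'email'        => 'alice@example.com',
    'gender'       => 'female',
    'address'      => '1 Example Street',
    'numBrochures' => 3,
    'message'      => 'Please send the catalogue.',
]);
```

With MYSQLI_REPORT_STRICT on, the `else die("Failed to prepare!")` branches in the answer become unnecessary: prepare(), execute() and the transaction calls throw instead of returning false, and the catch block is the single place where a partial write is undone.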
